IBM Support

Enabling single signon to use Kerberos authentication with
constrained delegation with IBM Cognos Business Intelligence

Troubleshooting
Problem

This topic is an updated version of the task in the IBM Cognos Business Intelligence version 10.2.2 Installation and Configuration Guide.

Resolving The Problem

To be able to use constrained delegation, you must define the service principal names (SPN) for the users that are configured to run the IBM Cognos components and your Microsoft Internet Information Services (IIS) web server's application pool in your Active Directory domain.

If you use Kerberos with constrained delegation, you must add an sAMAccountName user for Content Manager when you configure your gateway. All active and standby Content Managers must be configured to run under the same account.

If you are configuring single signon to your database servers, you must configure the sAMAccountName for the user who runs the Application Tier Components when you add the Active Directory namespace. All Application Tier Components must be configured to run under the same account.

The SPNs are registered to the users that you enter in the sAMAccountName fields in IBM Cognos Configuration.

For example, assume that you have one user who runs the Content Manager component, another who runs the Application Tier Components, and another who runs your web server's application pool. The Content Manager user is CognosCMUser. The Application Tier Components user is CognosATCUser. The application pool user is IISUser. Each user is in the MyDomain domain.

  1. You must set up IIS so that your MyDomain\IISUser is the application pool identity.
  2. Run the setspn command for the computer where IIS is running.
    For example:
    setspn -A http/IISServerName MyDomain\IISUser
    setspn -A http/IISServerName.MyDomain.com MyDomain\IISUser
  3. Run the setspn command for your IBM Cognos users.
    For example:
    setspn -A ibmcognosba/CognosCMUser MyDomain\CognosCMUser
    setspn -A ibmcognosba/CognosATCUser MyDomain\CognosATCUser

    In these commands, you must use the service class ibmcognosba exactly as shown in the examples. The user names and domains must match your environment.

    Note: In this example, the sAMAccountName users you must enter are CognosCMUser and CognosATCUser.
  4. If you are configuring single signon to your Microsoft SQL Server or Microsoft SQL Server Analysis Services database server, you must set up the SPN for the database server. For more information, see your database server documentation.
  5. Finally, you must configure the constrained delegation in the Active Directory Users and Computers administration tool.

    On the Delegation tab for all users (IISUser, CognosCMUser, and CognosATCUser), you must select Trust this user for delegation to specified services only and Use Kerberos only to use Kerberos with constrained delegation.

    Select Trust this user for delegation to specified services only and Use any authentication protocol if you are using the S4U Kerberos extension.

    Then add the required SPNs.
    1. For the IISUser:
      • Search for IISUser, and select the service types http and ibmcognosba.
      • Search for DomainController1, and select the service types ldap and GC.
      • Search for DomainController2, and select the service type ldap.
      • Search for CognosCMUser, and select the service type ibmcognosba.
    2. For the CognosCMUser:
      • Search for DomainController1, and select the service types ldap and GC.
      • Search for DomainController2, and select the service type ldap.
      • Search for CognosCMUser, and select the service type ibmcognosba.
      • Search for CognosATCUser, and select the service type ibmcognosba.
    3. For the CognosATCUser, you do not need to add any users or service types, because this user is the last hop in the delegation chain.

    If you want to configure single signon for the back-end data source, add the MSOLAPSvc3 service for Microsoft SQL Server Analysis Services (MSAS), or the MSSQLSvc service for Microsoft SQL Server. Add the required service for each of the users: IISUser, CognosCMUser, and CognosATCUser.
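    The SPN registration and Delegation tab settings described above, scripted with the ActiveDirectory PowerShell module. This is an added example, not part of the IBM technote; the domain DNS name MyDomain.com, the host names IISServerName, DomainController1 and DomainController2, and the exact SPN strings the domain controllers publish are assumptions you must adapt (check them with setspn -L DomainController1).

```powershell
# Added example (not IBM's own script). Assumes the users from the technote already exist in MyDomain.
Import-Module ActiveDirectory

$domainFqdn = 'MyDomain.com'   # assumption: DNS name of the MyDomain domain
$useS4U     = $false           # $true  = "Use any authentication protocol" (S4U protocol transition)
                               # $false = "Use Kerberos only"

# SPNs each account must own; mirrors the setspn commands in the technote.
$spns = @{
    IISUser       = @("http/IISServerName", "http/IISServerName.$domainFqdn")
    CognosCMUser  = @("ibmcognosba/CognosCMUser")
    CognosATCUser = @("ibmcognosba/CognosATCUser")
}

# Services each account may delegate to (the Delegation tab entries in the technote).
# Assumption: the DCs publish ldap/<fqdn> and GC/<fqdn>/<domain> SPNs in this form.
$dcTargets = @("ldap/DomainController1.$domainFqdn", "GC/DomainController1.$domainFqdn/$domainFqdn",
               "ldap/DomainController2.$domainFqdn")
$delegateTo = @{
    IISUser       = $spns.IISUser + $dcTargets + @("ibmcognosba/CognosCMUser")
    CognosCMUser  = $dcTargets + @("ibmcognosba/CognosCMUser", "ibmcognosba/CognosATCUser")
    CognosATCUser = @()   # last hop in the chain: no onward delegation
}

foreach ($sam in $spns.Keys) {
    # Refuse to register an SPN another account already holds: a duplicate SPN makes the KDC
    # issue service tickets for the wrong identity and silently breaks single signon.
    foreach ($spn in $spns[$sam]) {
        $owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName
        if ($owner -and $owner.sAMAccountName -ne $sam) {
            throw "SPN $spn is already registered to $($owner.sAMAccountName)"
        }
    }
    Set-ADUser -Identity $sam -ServicePrincipalNames @{Add = $spns[$sam]}

    # "Trust this user for delegation to specified services only" = msDS-AllowedToDelegateTo.
    if ($delegateTo[$sam].Count -gt 0) {
        Set-ADUser -Identity $sam -Replace @{'msDS-AllowedToDelegateTo' = $delegateTo[$sam]}
    } else {
        Set-ADUser -Identity $sam -Clear 'msDS-AllowedToDelegateTo'
    }
    # Constrained delegation only: TrustedForDelegation (unconstrained) stays off for every account.
    Set-ADAccountControl -Identity $sam -TrustedForDelegation $false `
        -TrustedToAuthForDelegation ($useS4U -and $delegateTo[$sam].Count -gt 0)

    # Read back what the KDC will actually evaluate.
    Get-ADUser -Identity $sam -Properties servicePrincipalName, 'msDS-AllowedToDelegateTo',
        TrustedForDelegation, TrustedToAuthForDelegation |
        Select-Object SamAccountName, servicePrincipalName, 'msDS-AllowedToDelegateTo',
        TrustedForDelegation, TrustedToAuthForDelegation | Format-List
}
```

    Run it from an account with rights to modify the three users; the read-back at the end of each loop iteration should show TrustedForDelegation as False on all of them, since unconstrained delegation is never needed for this setup.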

Procedure
  1. On the computer where you installed the Gateway, open IBM Cognos Configuration.
  2. In the Explorer window, click Local Configuration > Environment.
  3. On the computer where you installed Content Manager, open IBM Cognos Configuration.
  4. In the Explorer window, under Security > Authentication, select the Active Directory namespace.
  5. Click in the Value column for Advanced properties and then click the edit icon.
  6. In the Value - Advanced properties dialog box, click Add.
  7. In the Name column, type singleSignonOption.
  8. In the Value column, enter one of the following values:
    • Enter KerberosS4UAuthentication if you want to use Kerberos authentication first. If Kerberos fails, Service For User (S4U) authentication is attempted. If S4U fails, the user is prompted for credentials.
    • Enter S4UAuthentication if you want to use S4U authentication first. If S4U fails, the user is prompted for credentials.
  9. In the Value - Advanced properties dialog box, click Add.
  10. In the Name column, type trustedCredentialType.
  11. In the Value column, enter one of the following values:
    • Enter CredentialForTC if you want to save the user's credentials as a trusted credential, for example so that the credentials can be used to run scheduled jobs.
    • Enter S4UForTC if you want to save only the authenticated user name as a trusted credential. The user name is saved in UPN format, and scheduled jobs can be run with the UPN without requiring the user's password.
  12. Click OK.
  13. Click in the Value column for Application Tier Components sAMAccountName, and enter the sAMAccountName of the user who runs the Application Tier Components. For example, enter MyDomain\CognosATCUser.
    Important: This value is required only if you are configuring single signon to your Microsoft SQL Server or Microsoft SQL Server Analysis Services database server. If you are not configuring single signon to the database server, do not change this value.
  14. Click File > Save.
  15. Restart the IBM Cognos service.
  16. On the computer where you installed the Gateway components, open IBM Cognos Configuration.
  17. In the Explorer window, click Environment.
  18. Click in the Value column for Content Manager sAMAccountName, and enter the sAMAccountName of the user who runs Content Manager. For example, enter MyDomain\CognosCMUser.
  19. Click File > Save.


Document Information

Modified date:
15 June 2018

UID

swg21694595